In order to access network resources, a user enters identification and password information into a client computer that is transmitted to a server computer over a computer network for authentication. In turn, the server computer authenticates the client computer using the password and identification information, thereby allowing access to network resources. If the connection with the server computer is terminated, the user must re-enter the identification and password information into the client computer in order to re-authenticate and reconnect with the server computer. The user must re-enter the information because the password is not stored on the client computer for security reasons.
A “credential” can be issued to the client computer for facilitating the reconnect procedure. The credential is data that is used to prove the identity of the subject. In this instance, the credential is used by the client computer to authenticate the client computer to the server computer such that the user does not need to re-enter or store on the client computer the password information. There is no need for the client computer to transmit the identification and password information to the server computer if the client computer has the credential because the credential ensures with a high degree of reliability that the client computer should have access.
The credential is generated by a trusted third party (TTP) such as the type used with the Kerberos system. The TTP issues the credential that allows the client computer to authenticate itself to the server computer. The credential may be time limited and encrypted by the TTP using a symmetric algorithm and decrypted/verified by the server computer using the same. The TTP is used for a large aggregation of machines and contains all of the keys used for authentication by both users and machines.
A drawback with the TTP is that it requires significant infrastructure and is a separate entity that must be configured. Furthermore, the configuration information must be present on all of the server computers. Therefore, in order to implement a change, all of the machines (i.e. client and server computers), as well as the TTP, must be re-configured. Another drawback of the TTP is that it is a high value target because it contains all of the keys used for authentication.
Another type of authentication mechanism is pretty good privacy (PGP Ticket). A TTP (e.g., server administrator) issues a credential to a client computer that allows the server computer to authenticate the client computer. The credential issued to the client computer is time limited and digitally signed by the TTP using commonly known public key technology. The credential is interpreted/verified by the server computer.
A drawback with PGP Ticket is that the security and verifiability of the TTP's public key is weak. Furthermore, a change to the TTP's key requires revoking all of the old keys and updating all of the server computers and client computers with new keys. Additionally, if the TTP's key is compromised, then all of the server computers that rely on that key are also compromised.